Need clarification on ZAP - SAML 2.0 Support

Pulasthi Mahawithana

Apr 29, 2013, 10:27:22 AM4/29/13
to zaproxy...@googlegroups.com, Prasad Shenoy
Hi Prasad/ Devs,

I have submitted the draft proposal for the ZAP - SAML 2.0 support[1] here[2].

Here is a summary of it.

I read the sections on the HTTP POST and HTTP Redirect bindings in the SAML 2.0 spec (SAML bindings) [3]. As mentioned there, SAML requests/responses can be identified by the parameter "SAMLRequest" or "SAMLRequest". SAML message decoding and re-encoding (after fuzzing) will be done as specified in the spec, depending on the binding used. After decoding the SAML message, the user will be given the ability to fuzz the attributes and elements using the built-in fuzzer or any new SAML-specific fuzzer.

Have I got the flow correctly here? Is there anything I have missed?
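The decode/re-encode step the proposal describes, as an added example that is not ZAP code and not part of the original post: it detects the SAML parameter by name, decodes the message according to the binding (plain base64 for HTTP-POST, raw DEFLATE plus base64 plus URL-encoding for HTTP-Redirect), and puts a possibly modified message back into the same form. The sample AuthnRequest and hostnames are constructed.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Both binding sections of the SAML 2.0 Bindings spec carry the message in one
# of these two parameters; other parameters (RelayState, SigAlg, Signature)
# are passed through untouched.
SAML_PARAMS = ("SAMLRequest", "SAMLResponse")

# Constructed sample AuthnRequest (not a real capture).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example1" Version="2.0" IssueInstant="2013-04-29T10:27:22Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs"/>'
)

def decode_message(binding, value):
    """Turn the parameter value back into XML according to the binding."""
    raw = base64.b64decode(value)
    if binding == "HTTP-Redirect":
        # Redirect binding: DEFLATE without zlib header (wbits=-15), then base64.
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")

def encode_message(binding, xml):
    """Inverse of decode_message, used to put a modified message back."""
    data = xml.encode("utf-8")
    if binding == "HTTP-Redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")

def decode_saml_http(method, url, body):
    """Detect binding and SAML parameter in a request; return (binding, name, xml) or None."""
    if method.upper() == "GET":
        binding, params = "HTTP-Redirect", parse_qs(urlsplit(url).query)
    elif method.upper() == "POST":
        binding, params = "HTTP-POST", parse_qs(body)
    else:
        return None
    for name in SAML_PARAMS:
        if name in params:
            return binding, name, decode_message(binding, params[name][0])
    return None

def reencode_saml_http(binding, name, xml, other_params=None):
    """Build the query string / form body carrying the (possibly modified) XML."""
    params = dict(other_params or {})
    params[name] = encode_message(binding, xml)
    return urlencode(params)
```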